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REMARKS 

This Application has been carefully reviewed in light of the Office Action tranmitted 
04/09/2008 (the ''Office Action") Notice of Panel Decision from Pre-Appeal Brief Review 
mailed July 14, 2008 (the "Notice of Panel Decision"). Applicants respectfully request 
reconsideration and favorable action in this case. 

Section 103 Rejections 

The Examiner rejects Claims 1, 3, 5-8 and 24-35 under 35 U.S.C. § 103(a) as 
allegedly being unpatentable over Flurry et al. (US Publication No. 2003/0061512) 
("Flurry") in view of Mishra et al. ("Security Services Markup Language", January 8 5 2 001 
("Mishra"). The Examiner further rejects Claim 36 as allegedly being obvious over Flurry 
in view of Mishra and further in view of U.S. Pat. No. 6,609,198 to Woods et al. ("Woods"). 
Applicants have added Claims 37 and 38 and amended Claim 7. Applicants respectfully 
traverse these rejections. 

I. In Flurry, the alleged "Agent" generates the alleged "session ticket ID," and 
therefore, the alleged "Agent" does not intercept the session ticket ID as required 
by Claim 1. 

Claim 1 is allowable at least because the cited references do not disclose teach or 

suggest the following combination of limitations: 

intercepting at the agent a second request to grant the web service 
customer access to the second web service, the second request comprising 
the assertion and a signature associated with a private key. 

as recited in Claim 1. In the Office Action, the Examiner rejects these limitations by relying 
on sections of Flurry which recite, "[b]ecause the ASP aggregator has already authenticated 
the client/user, the ASP aggregator would immediately generate the application 
authentication token that is needed by the client/user with respect to the second aggregated 
application." See Office Action, page 4 (citing Flurry, page 9, paragraphs 88-90). However, 
the Examiner's reliance on Flurry to teach these limitations is incorrect. 

As Applicants previously pointed out in a previous response dated 01/03/2008 (the 
"Previous Response"), the assertion of Claim 1 includes a session ticket ED. The Examiner 
identified Flurry y s "Application Identification Token" as the session ticket ID of Claim 1. 
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Office Action, page 4, lines 17-22. However, regardless of whether Flurry's Application 
Authentication Token teaches a session ticket ID, which Applicants do not address, the 
above-quoted passage of Flurry makes it clear that the Application Authentication Token is 
generated by the ASP aggregator (the alleged Agent) after the alleged second request is 
received. Thus, since the Application Authentication Token of Flurry is generated after 
receiving the alleged second request, it cannot be intercepted as part of the alleged second 
request as would be required to teach the limitations "intercepting at the agent a second 
request to grant the web service customer access to the second web service, the second 
request comprising the assertion and a signature associated with a private key" as recited in 
Claim 1. 

Though Flurry recites that the Application Authentication Token is generated 
"because the ASP aggregator has already authenticated the client/user," Flurry makes no 
disclosure as to how the ASP aggregator makes this determination or as to what information 
is received by the ASP aggregator in the alleged second request. The portions of Flurry cited 
by the Examiner do not clarify the issue because they relate to an "Aggregator Token" that is 
received and processed at an Aggregated Application rather than at the ASP Aggregator. 
Office Action, page 3, lines 8-11 (citing Flurry Paragraphs [0076]-[0080]). Flurry lacks any 
detail as to the information included in the alleged second request to the ASP aggregator and 
consequently fails to disclose, teach, or suggest, "intercepting at the agent a second request to 
grant the web service customer access to the second web service, the second request 
comprising the assertion and a signature associated with a private key" as recited in Claim 
1. 

Mishra does not account for these deficiencies. While the Examiner argues that 
"Mishra teaches an ASP aggregator that provides its users with seamless access to all ASP's 
as part of its trusted relationship;" see Office Action, page 3, lines 11-13 (citing Mishra pages 
7-8), Applicants respectfully point out that the portions of Mishra cited by the Examiner fail 
to disclose teach or suggest "intercepting at the agent a second request to grant the web 
service customer access to the second web service." Rather, Mishra states that when a user 
logs onto Site A and then clicks on a link to a resource at site B, "Site B must check the 
received name assertion for validity." See Mishra page 8, lines 1-3. Applicants respectfully 
contend that the cited portions of Mishra do not support the Examiner's rejection because a 
scenario wherein "Site B must check the received name assertion for validity" does not 
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disclose teach or suggest "intercepting at the agent a second request to grant the web 
service customer access to the second web service" as recited in Claim 1 . 

For at least these reasons, Applicants respectfully contend that Claim 1 and each of its 
dependent claims are in condition for allowance. For analogous reasons, applicants 
respectfully contend that Claims 7, 26, and 32 and each of their dependent claims are in 
condition for allowance. 



II. The proposed Flurry-Mishra-Woods combination is improper. 

Claim 36 is directed to the method of Claim 1 wherein "the second request is 
intercepted at the agent before reaching the second web service." 

To reject these limitations, the Examiner argues that the call flow of Flurry could 

somehow be combined with the system of Woods such that the alleged second request of 

Flurry is intercepted by the alleged agent of Flurry before reaching the alleged second web 

service of Flurry, Office Action page 8, lines 6-10. However, Flurry directly teaches away 

from this combination, stating rather that the alleged second request is redirected to the 

alleged agent after being received by the alleged second web service, as explained below. 

In this scenario, the user may have been authenticated by the ASP 
aggregator and may have interacted with a first aggregated application. At 
some later point in time, in a manner similar to that described above with 
respect to FIGS. 5A-5B, the user may attempt to interact directly with a 
second aggregated application using some type of saved session-specific 
information, e.g., a bookmarked URL that is associated with the second 
aggregated application. Since the user has attempted to interact directly with 
the aggregated application without the intermediate step of using the 
application workspace page, the second aggregated application would not 
receive an application authentication token along with the client/user 
request. The second aggregated application would receive and examine the 
aggregator token, after which the client/user would be redirected to the 
ASP aggregator. 

Without conceding whether the Examiner's proposed combination is even technically 
possible, it directly contradicts the teachings of Flurry, and according to the MPEP, it is 
improper to combine references where the references teach away from their combination. 
MPEP §2145. Consequently, Applicants respectfully contend that one or ordinary skill in the 
art would not have been motivated to combine Flurry, Mishra, and Woods in the manner 
proposed by the Examiner. 
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III. Flurry does not disclose, teach, or suggest that the alleged second request 
originates at the first web service as recited in Claim 25. 

Claim 25 is directed to the method of Claim 1 "wherein the first request originates at 

the web service customer and the second request originates at the first web service." To 

reject these limitations, the Examiner relies on a user-initiated request for access to a second 

web service described in Paragraphs [0087] - [0090] of Flurry. Regardless of whether these 

paragraphs disclose a first web service or a second request, which Applicants do not address, 

these two paragraphs fail to disclose that the second request originates at the first web 

service as recited in Claim 1. Rather, in Flurry the user originates the alleged second 

request as demonstrated at Paragraph [0087] of Flurry reproduced below: 

In this scenario, the user may have been authenticated by the ASP 
aggregator and may have interacted with a first aggregated application. At 
some later point in time, in a manner similar to that described above with 
respect to FIGS. 5A-5B, the user may attempt to interact directly with a 
second aggregated application using some type of saved session-specific 
information, e.g., a bookmarked URL that is associated with the second 
aggregated application. Since the user has attempted to interact directly with 
the aggregated application without the intermediate step of using the 
application workspace page, the second aggregated application would not 
receive an application authentication token along with the client/user request. 
The second aggregated application would receive and examine the aggregator 
token, after which the client/user would be redirected to the ASP aggregator. 

(emphasis added). The above-cited portions of Flurry disclose that a user, rather than the 
alleged first web service, originates the alleged second request. That the second request is 
routed to the ASP aggregator (the alleged agent) through the second aggregated application 
(the alleged first web service) does not change the fact that the user originated the second 
request. For at least these reasons, Flurry fails to disclose, teach, or suggest that "the first 
request originates at the web service customer and the second request originates at the first 
web service" as recited in Claim 25. 

Consequently Applicants respectfully contend that Claim 25 is in condition for 
allowance. For analogous reasons Applicants further contend that Claims 31 and 35 are in 
condition for allowance. 
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IV. References to Hallam-Baker 

Applicants further note that in the Office Action, the Examiner interchangeably refers 
to both Hallam-Baker and Flurry while citing only to sections of Flurry. See e.g., Office 
Action, pages 7-8. Applicants assume that the references to Hallam-Baker were accidental 
since no applicable page number or sections from Hallam-Baker were ever cited. Moreover, 
to the extent that the Examiner was relying on Hallam-Baker, Applicants respectfully request 
the Examiner to more specifically identify the portions of Hallam-Baker to which the 
Examiner was referring. 

New Claims 

Applicants have added new Claims 37 and 38 which are fully supported by the 
Specification as originally filed and add no new matter. Applicants respectfully contend that 
references cited by the Examiner fail to disclose, or even teach or suggest, either alone or in 
combination, the combination elements recited in these claims. As one example, Claims 37 
and 38 each depend from an allowable independent claim, as discussed above. As another 
example, none of the references cited by the Examiner teach that the first request originates at 
the web service customer and the second request originates at the first web service and "the 
second request is intercepted at the agent before reaching the second web service" as recited 
in Claim 37. Further, none of the references cited by the Examiner teach "determining at the 
agent whether the public key matches the private key" as recited in Claim 38. 

No Waiver 

Applicants have merely discussed example distinctions from the references cited by 
the Examiner. Other distinctions may exist, and Applicants reserve the right to discuss these 
additional distinctions in a later Response or on Appeal, if appropriate. By not responding to 
additional statements made by the Examiner, Applicants do not acquiesce to the Examiner's 
additional statements. The example distinctions discussed by Applicants are sufficient to 
overcome the Examiner's rejections. 
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CONCLUSION 



Applicants have made an earnest attempt to place this case in condition for allowance. 
For the foregoing reasons, and for other apparent reasons, Applicants respectfully request full 
allowance of all pending Claims. If the Examiner feels that a telephone conference would 
advance prosecution of this Application in any manner, the undersigned attorney for 
Applicants stand ready to conduct such a conference at the convenience of the Examiner. 

Applicants hereby take an extension of time to accompany this RCE for two months 
from September 3, 2008 to November 3, 2008. 

The Commissioner is hereby authorized to charge the $810.00 RCE fee, the $490.00 
Extension of Time fee, and to the extent necessary, charge any additional fees or credit any 
overpayments to Deposit Account No. 02-0384 of Baker Botts L.L.P. 



Respectfully submitted, 



BAKER BOTTS L.L.P. 




Reg. No. 45,003 
Phone: (214) 953-6655 



Date: 



CORRESPONDENCE ADDRESS: 



Customer Number: 05073 
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